Google is closing a loophole that allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy activists after the US Supreme Court’s decision to end women’s constitutional right to abortion.
It also took another step on Friday to limit the risk that smartphone data could be used to enforce new abortion restrictions, announcing that it would automatically delete the location history of phones that have been near a sensitive medical location such as a clinic for abortions.
The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponized by US states to police the country’s new abortion restrictions.
The companies have previously collected and sold information on the open market, including lists of Android users using apps related to cycle tracking, pregnancy and family planning, such as Planned Parenthood Direct.
In the past week, researchers and privacy advocates have urged women to delete period-tracking apps from their phones to avoid being tracked or penalized for considering an abortion.
The US tech giant announced last March that it would limit the feature that allows developers to see which other apps have been installed and deleted on people’s phones. That change was supposed to be rolled out last summer, but the company was unable to meet that deadline, citing the pandemic, among other reasons.
The new July 12 deadline comes just weeks after Roe vs Wade was overturned, a decision that shed light on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.
“It’s long overdue. Data brokers have been prohibited from using the data under Google’s terms for a long time, but Google has not built safeguards into the app approval process to catch this behavior. They just ignored it,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the loophole since 2020.
“So now anyone with a credit card can buy that data online,” he added.
Google said: “In March 2021, we announced that we plan to limit access to this permission so that only utility apps, such as device finder apps, antivirus programs, and file management apps, can see what other apps are installed on the phone.”
It adds: “Collecting app inventory data to sell or share it for analytics or ad monetization has never been allowed on Google Play.”
Despite its widespread use by app developers, users remain unfamiliar with this feature in Android software—a Google-designed programming interface, or API, known as “All Packages Query.” It allows apps, or third-party code snippets within them, to query the inventory of all other apps on a person’s phone. Google itself listed this type of data as high-risk and “sensitive” and it was discovered that it was being sold to third parties.
The researchers found that app inventories “can be used to accurately infer the interests and personality traits of end users,” including gender, race, and marital status, among other things.
Edwards has discovered that one data marketplace, Narrative.io, openly sells data obtained from intermediaries in this way, including smartphones used by Planned Parenthood and various cycle tracking apps.
Narrative said it removed the pregnancy and period tracking app’s data from its platform in May in response to a leaked draft outlining the upcoming Supreme Court ruling.
Another research company, Pixalate, found that consumer apps, like a simple weather app, ran pieces of code that used the same Android feature and collected data for a Panamanian company with ties to U.S. defense contractors.
Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we find violations, we take action,” adding that it has sanctioned multiple companies believed to be selling user data.
Google said it will limit the Query All Packages feature to only those who request it starting July 12. App developers will be required to fill out a statement explaining why they need access and notify Google before the deadline so it can be reviewed.
“Fraudulent and undeclared use of these permissions may result in suspension of your application and/or termination of your developer account,” the company warned.
Additional reporting by Richard Waters
Add Comment